Add deterministic release evidence bundle

Makefile

@@ -1,4 +1,4 @@
-.PHONY: validate validate-json validate-yaml validate-quadlet validate-render validate-evidence validate-governance validate-activation validate-supply-chain validate-package validate-cli validate-formula doctor probe
+.PHONY: validate validate-json validate-yaml validate-quadlet validate-render validate-evidence validate-governance validate-activation validate-supply-chain validate-release-bundle validate-package validate-cli validate-formula doctor probe
 
 PYTHON ?= python3
 RUBY ?= ruby
@@ -20,7 +20,7 @@ DECIDED_AT := 2026-05-04T12:51:00Z
 PYCLI := PYTHONPATH=src $(PYTHON) -m agent_machine.cli
 PYMOD := PYTHONPATH=src $(PYTHON) -m
 
-validate: validate-json validate-yaml validate-quadlet validate-render validate-evidence validate-governance validate-activation validate-supply-chain validate-package validate-cli validate-formula
+validate: validate-json validate-yaml validate-quadlet validate-render validate-evidence validate-governance validate-activation validate-supply-chain validate-release-bundle validate-package validate-cli validate-formula
 
 validate-json:
 	$(PYTHON) scripts/validate-json.py
@@ -62,6 +62,10 @@ validate-supply-chain:
 	$(PYTHON) scripts/validate-supply-chain.py
 	$(PYMOD) agent_machine.supply_chain $(PINNED_AGENTPOD) --strict
 
+validate-release-bundle:
+	$(PYTHON) scripts/validate-release-bundle.py
+	$(PYTHON) scripts/generate-release-evidence.py --pretty >/tmp/agent-machine-release-evidence-bundle.json
+
 validate-package:
 	$(PYTHON) scripts/validate-package.py
 

contracts/release-evidence-bundle.schema.json

@@ -0,0 +1,142 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "urn:srcos:agent-machine:schema:release-evidence-bundle:v0.1.0",
+  "title": "ReleaseEvidenceBundle",
+  "description": "Secret-free release evidence bundle tying together validation proof, commit identity, schema inventory, rendered artifact digests, supply-chain posture, and known blockers.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "specVersion",
+    "id",
+    "kind",
+    "release",
+    "source",
+    "validation",
+    "inventories",
+    "renderedArtifacts",
+    "supplyChain",
+    "readiness",
+    "knownBlockers",
+    "receiptSafety",
+    "generatedAt"
+  ],
+  "properties": {
+    "specVersion": { "type": "string", "const": "0.1.0" },
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:agent-machine:release-evidence-bundle:[a-z0-9][a-z0-9-]*$"
+    },
+    "kind": { "type": "string", "const": "ReleaseEvidenceBundle" },
+    "release": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["name", "maturity", "productionReady"],
+      "properties": {
+        "name": { "type": "string" },
+        "maturity": { "type": "string", "enum": ["prototype", "bootstrap-ready", "release-candidate", "production-blocked", "production-ready"] },
+        "productionReady": { "type": "boolean" },
+        "notes": { "type": "array", "items": { "type": "string" } }
+      }
+    },
+    "source": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["repository", "branch", "commitSha"],
+      "properties": {
+        "repository": { "type": "string" },
+        "branch": { "type": "string" },
+        "commitSha": { "type": "string", "pattern": "^[a-f0-9]{40}$" },
+        "pullRequest": { "type": ["integer", "null"], "minimum": 1 }
+      }
+    },
+    "validation": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["canonicalCommand", "status", "workflowRunId", "workflowJobName"],
+      "properties": {
+        "canonicalCommand": { "type": "string" },
+        "status": { "type": "string", "enum": ["passed", "failed", "unknown", "not-run"] },
+        "workflowRunId": { "type": ["integer", "null"], "minimum": 1 },
+        "workflowJobName": { "type": ["string", "null"] },
+        "validatedAt": { "type": ["string", "null"] }
+      }
+    },
+    "inventories": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["schemas", "examples", "docs"],
+      "properties": {
+        "schemas": { "$ref": "#/$defs/digestedFileList" },
+        "examples": { "$ref": "#/$defs/digestedFileList" },
+        "docs": { "$ref": "#/$defs/digestedFileList" }
+      }
+    },
+    "renderedArtifacts": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["name", "artifactKind", "digest"],
+        "properties": {
+          "name": { "type": "string" },
+          "artifactKind": { "type": "string" },
+          "path": { "type": ["string", "null"] },
+          "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }
+        }
+      }
+    },
+    "supplyChain": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["strictModeAvailable", "strictExamples", "mutableBootstrapExamples"],
+      "properties": {
+        "strictModeAvailable": { "type": "boolean" },
+        "strictExamples": { "$ref": "#/$defs/digestedFileList" },
+        "mutableBootstrapExamples": { "$ref": "#/$defs/digestedFileList" }
+      }
+    },
+    "readiness": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["bootstrapReady", "productionReady", "releaseGateRef"],
+      "properties": {
+        "bootstrapReady": { "type": "boolean" },
+        "productionReady": { "type": "boolean" },
+        "releaseGateRef": { "type": "string" },
+        "statusRef": { "type": ["string", "null"] }
+      }
+    },
+    "knownBlockers": {
+      "type": "array",
+      "items": { "type": "string" },
+      "uniqueItems": true
+    },
+    "receiptSafety": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["includeRawContent", "rawPromptContentIncluded", "rawKvCacheContentIncluded", "secretValuesIncluded", "privateMemoryIncluded"],
+      "properties": {
+        "includeRawContent": { "type": "boolean", "const": false },
+        "rawPromptContentIncluded": { "type": "boolean", "const": false },
+        "rawKvCacheContentIncluded": { "type": "boolean", "const": false },
+        "secretValuesIncluded": { "type": "boolean", "const": false },
+        "privateMemoryIncluded": { "type": "boolean", "const": false }
+      }
+    },
+    "generatedAt": { "type": "string" }
+  },
+  "$defs": {
+    "digestedFileList": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["path", "digest"],
+        "properties": {
+          "path": { "type": "string" },
+          "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }
+        }
+      }
+    }
+  }
+}

docs/architecture/release-evidence-bundle.md

@@ -0,0 +1,101 @@
+# Release Evidence Bundle
+
+Agent Machine release evidence bundles are deterministic, secret-free summaries of what was validated, what source revision was evaluated, which contract/example/doc inventories were present, which rendered artifacts were derived, what supply-chain posture was available, and which blockers remain.
+
+A bundle is not a signature by itself. It is the structured payload that future signing, transparency, and release-promotion flows can sign and publish.
+
+## Decision
+
+Agent Machine defines a `ReleaseEvidenceBundle` contract for bootstrap and release-candidate evidence.
+
+The bundle records:
+
+- repository identity;
+- branch and commit SHA;
+- optional pull request number;
+- validation command and workflow run ID;
+- schema inventory with file digests;
+- example inventory with file digests;
+- documentation inventory with file digests;
+- rendered artifact digests;
+- supply-chain strict-mode availability;
+- readiness state;
+- known blockers;
+- receipt-safety flags.
+
+## Current implementation
+
+Implemented now:
+
+- `contracts/release-evidence-bundle.schema.json`;
+- `examples/release-evidence-bundle.bootstrap.json`;
+- `src/agent_machine/release_bundle.py`;
+- `scripts/generate-release-evidence.py`;
+- `scripts/validate-release-bundle.py`;
+- `make validate-release-bundle`.
+
+## Validation commands
+
+Generate a bundle from the current checkout:
+
+```bash
+python3 scripts/generate-release-evidence.py --pretty
+```
+
+Validate bundle example and generated output:
+
+```bash
+python3 scripts/validate-release-bundle.py
+```
+
+Full validation:
+
+```bash
+make validate
+```
+
+## Bootstrap behavior
+
+The bootstrap bundle is intentionally secret-free and production-blocked. It may report `validation.status=unknown` when generated outside CI, but it still validates its schema, inventories, rendered artifact digests, supply-chain posture, known blockers, and receipt-safety posture.
+
+## Release-candidate behavior
+
+A release candidate should set:
+
+```text
+validation.status = passed
+validation.workflowRunId = <green run id>
+source.commitSha = <validated commit sha>
+source.pullRequest = <PR number, if applicable>
+```
+
+It must also have no unresolved release-candidate blockers for the relevant maturity level.
+
+## Production blockers
+
+The current bundle deliberately retains production blockers, including:
+
+- main-branch CI visibility and branch protection policy;
+- real image signature/provenance verification;
+- real Policy Fabric client or endpoint;
+- real Agent Registry grant resolver;
+- real AgentPlane evidence submission or staging client;
+- local LVM provisioning/probe implementation;
+- TopoLVM runtime integration beyond skeleton manifests;
+- provider discovery and controlled provider activation;
+- M2 Asahi host measurement and provider readiness data;
+- signed release evidence bundle;
+- rollback, teardown, and wipe workflows.
+
+## Future hardening
+
+Future release bundle work should add:
+
+- signed bundle envelopes;
+- provenance attestation references;
+- transparency-log submission references;
+- generated SBOM references;
+- real image signature verification result;
+- branch protection status;
+- release artifact digests;
+- rollback and wipe evidence references.

docs/index.md

@@ -21,6 +21,7 @@ Agent Machine is a bootstrap runtime-control substrate for SourceOS agent worklo
 | [Deployment safety](architecture/deployment-safety.md) | Skeleton-vs-production manifest rules and safety gates. |
 | [Receipt chain](architecture/receipt-chain.md) | AgentPod source to plan, manifest, receipt, policy, registry, and AgentPlane evidence. |
 | [Image digest pinning and provenance](architecture/image-digest-pinning-and-provenance.md) | Supply-chain strict-mode gate for digest-pinned release-candidate artifacts. |
+| [Release evidence bundle](architecture/release-evidence-bundle.md) | Deterministic validation/source/inventory/render/supply-chain/readiness bundle. |
 | [Runtime package layout](architecture/runtime-package-layout.md) | Migration from loose scripts to `src/agent_machine/` package modules. |
 | [Homebrew Python dependencies](architecture/homebrew-python-dependencies.md) | Current dependency strategy for render/evaluation commands. |
 | [Local LVM and TopoLVM profile](architecture/local-lvm-and-topolvm-profile.md) | Local and Kubernetes storage/cache/evidence profile. |
@@ -71,6 +72,7 @@ Important contract families:
 | `PolicyAdmission` | Policy Fabric admission decision/stub. |
 | `AgentRegistryGrant` | Agent Registry grant/stub. |
 | `ActivationDecision` | Final dry-run activation decision. |
+| `ReleaseEvidenceBundle` | Secret-free release validation/source/inventory/render/supply-chain/readiness evidence. |
 
 ## Validation
 
@@ -91,6 +93,7 @@ validate-evidence
 validate-governance
 validate-activation
 validate-supply-chain
+validate-release-bundle
 validate-package
 validate-cli
 validate-formula
@@ -111,5 +114,5 @@ Current blockers:
 - TopoLVM runtime integration beyond skeleton manifests;
 - provider discovery and controlled provider activation implementation;
 - M2 Asahi host measurement/provider readiness data;
-- release evidence bundle;
+- signed release evidence bundle;
 - rollback, teardown, and wipe workflows.

examples/release-evidence-bundle.bootstrap.json

@@ -0,0 +1,89 @@
+{
+  "specVersion": "0.1.0",
+  "id": "urn:srcos:agent-machine:release-evidence-bundle:bootstrap-v0-example",
+  "kind": "ReleaseEvidenceBundle",
+  "release": {
+    "name": "agent-machine-bootstrap-v0",
+    "maturity": "bootstrap-ready",
+    "productionReady": false,
+    "notes": [
+      "Example bundle shape only.",
+      "The generator produces a complete bundle from repository contents."
+    ]
+  },
+  "source": {
+    "repository": "SourceOS-Linux/agent-machine",
+    "branch": "main",
+    "commitSha": "0cba4c4774982ce4705c27f7c4ec1c0bcdfb0725",
+    "pullRequest": 11
+  },
+  "validation": {
+    "canonicalCommand": "make validate",
+    "status": "passed",
+    "workflowRunId": 25327418937,
+    "workflowJobName": "Validate contracts, examples, CLI, formula, and docs",
+    "validatedAt": "2026-05-04T15:21:00Z"
+  },
+  "inventories": {
+    "schemas": [
+      {
+        "path": "contracts/release-evidence-bundle.schema.json",
+        "digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+      }
+    ],
+    "examples": [
+      {
+        "path": "examples/local-podman-llama-cpp.agent-pod.json",
+        "digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+      }
+    ],
+    "docs": [
+      {
+        "path": "BOOTSTRAP_STATUS.md",
+        "digest": "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
+      }
+    ]
+  },
+  "renderedArtifacts": [
+    {
+      "name": "local-agentpod-plan",
+      "artifactKind": "AgentPodDeploymentPlan",
+      "path": null,
+      "digest": "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
+    }
+  ],
+  "supplyChain": {
+    "strictModeAvailable": true,
+    "strictExamples": [
+      {
+        "path": "examples/local-podman-llama-cpp.pinned.agent-pod.json",
+        "digest": "sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+      }
+    ],
+    "mutableBootstrapExamples": [
+      {
+        "path": "examples/local-podman-llama-cpp.agent-pod.json",
+        "digest": "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+      }
+    ]
+  },
+  "readiness": {
+    "bootstrapReady": true,
+    "productionReady": false,
+    "releaseGateRef": "docs/architecture/world-class-release-gate.md",
+    "statusRef": "BOOTSTRAP_STATUS.md"
+  },
+  "knownBlockers": [
+    "main-branch-ci-visibility-and-branch-protection-policy",
+    "real-policy-fabric-client-or-endpoint",
+    "real-agentplane-evidence-submission-or-staging-client"
+  ],
+  "receiptSafety": {
+    "includeRawContent": false,
+    "rawPromptContentIncluded": false,
+    "rawKvCacheContentIncluded": false,
+    "secretValuesIncluded": false,
+    "privateMemoryIncluded": false
+  },
+  "generatedAt": "2026-05-04T15:21:00Z"
+}